A little guidance - TI Xenix

From: Ward Griffiths and/or Lisa Rogers <gram_at_cnct.com>
Date: Sat Jun 14 17:59:32 1997

On Fri, 13 Jun 1997, Captain Napalm wrote:
>
> The first is via sendmail. There used to be a way to get into a debugging
> mode and have sendmail run arbitrary commands, and since it often ran as
> root, this was one way someone could break into a system. The debug mode of
> sendmail is the "wizard" mode, but I came onto the e-mail scene just after
> this hole was closed (after the Robert Morris Internet Worm of '88). I
> don't know more than that, sorry.

sendmail wasn't part of Xenix in those days -- all networking aside from
uucp was extra, and mostly still being developed.

> The second requires the Intel 386 Assembly and assumes you have fingerd
> running (has to be fingerd). What this entails is feeding the fingerd
> program too much information, which overwrites the program stack. With
> careful programming, the excess information can be code that will then run
> arbitrary commands (since fingerd often runs as root). This will also
> require you to know where in memory the executable is loaded into so you
> provide a valid return address on the stack.

No fingerd, either. Or _any_ real networking daemons in Xenix at the
time.

> If you don't have either of those, try finding an interactive setuid root
> program you can run, as it, too, may be possible to overrun an input buffer.

No real holes that I remember from Xenix in that era -- amazingly secure
for a Unix port in those days.

> There may be easier ways, I just don't know of them offhand (do you have
> access to another Xenix system? Could you mount your drives to it? Can you
> boot MS-DOS on it (from the floppy)? If so, you might be able to use Norton
> Utilities to scan the hard drive for the password file and modify it there
> (and if not Norton, then some other low level disk editor program)).

Well, I know that the setuid hole in Profile 16 for Tandy 68000 Xenix
was never fixed. But filePro 16plus for the 386 version didn't have it.

Back when I broke into over half the Tandy 6000 systems in the Radio
Shack Area Training and Support Offices in 1986 (by invitation from
management -- I'm a hacker, not a cracker) my tools were lists of the
employees' names (works nine out of ten times) and knowledge of the
hole in Profile 16, which I'd already published a fix for. (An
expanded version of which is available in CIS UNIXFORUM under the
filename SECURE.MS -- I'd delete it, but the account with authority to
do so is ancient history).
--
Ward Griffiths
"America is at that awkward stage. It's too late to work within
the system, but too early to shoot the bastards." --Claire Wolfe
Received on Sat Jun 14 1997 - 17:59:32 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:30:29 BST